ON THE MINIMUM DISTANCE OF ELLIPTIC CURVE CODES


JIYOU LI, DAQING WAN, AND JUN ZHANG 


Abstract. Computing the minimum distance of a linear code is one of the 
fundamental problems in algorithmic coding theory. Vardy showed that 
it is an NP-hard problem for general linear codes. In practice, one often uses 
codes with additional mathematical structure, such as AG codes. For AG 
codes of genus 0 (generalized Reed-Solomon codes), the minimum distance 
has a simple explicit formula. An interesting result of Cheng [3] says that 
the minimum distance problem is already NP-hard (under RP-reduction) 
for general elliptic curve codes (ECAG codes, or AG codes of genus 1). In 
this paper, we show that the minimum distance of ECAG codes also has a 
simple explicit formula if the evaluation set is suitably large (at least 2/3 of 
the group order). Our method is purely combinatorial and based on a new 
sieving technique from the first two authors [8]. This method also proves 
a significantly stronger version of the MDS (maximum distance separable) 
conjecture for ECAG codes. 


1. Introduction 

Let $\mathbb{F}_q^n$ be the $n$-dimensional vector space over the finite field with $q$ elements.
For any vector $x = (x_1, x_2, \cdots, x_n) \in \mathbb{F}_q^n$, the Hamming weight $\mathrm{Wt}(x)$ of $x$ is
defined to be the number of non-zero coordinates, i.e.,

$$\mathrm{Wt}(x) = \#\{\, i \mid 1 \le i \le n,\ x_i \ne 0 \,\}.$$

A linear $[n, k]$ code $C$ is a $k$-dimensional linear subspace of $\mathbb{F}_q^n$. The minimum
distance $d(C)$ of $C$ is the minimum Hamming weight of all non-zero vectors in $C$,
i.e.,

$$d(C) = \min\{\, \mathrm{Wt}(c) \mid c \in C \setminus \{0\} \,\}.$$

A linear $[n, k]$ code $C \subseteq \mathbb{F}_q^n$ is called an $[n, k, d]$ linear code if $C$ has minimum distance
$d$. A well-known trade-off between the parameters of a linear $[n, k, d]$ code is the
Singleton bound which states that

$$d \le n - k + 1.$$

An $[n, k, d]$ code is called a maximum distance separable (MDS) code if $d = n - k + 1$.
The dual code $C^{\perp}$ of $C$ is defined as the set

$$\{\, x \in \mathbb{F}_q^n \mid x \cdot c = 0 \text{ for all } c \in C \,\},$$

where $x \cdot c$ is the inner product of vectors $x$ and $c$, i.e.,

$$x \cdot c = x_1 c_1 + x_2 c_2 + \cdots + x_n c_n.$$

The work of Jiyou Li is supported by the National Science Foundation of China (11001170) and 
Ky and Yu-Fen Fan Fund Travel Grant from the AMS. The research of Daqing Wan is partially 
supported by NSF. This research of Jun Zhang is supported by the National Key Basic Research 
Program of China (2013CB834204), the National Natural Science Foundation of China (61171082, 
10990011 and 60872025). 




Computing the minimum distance of a linear code is one of the most important 
problems in algorithmic coding theory. It was proved to be NP-hard for general 
linear codes in M- The gap version of the problem was also shown to be NP- 
hard in . And the same paper showed that approximating the minimum distance 
of a linear code cannot be achieved in randomized polynomial time to the factor 
$2^{\log^{1-\epsilon} n}$ unless $NP \subseteq RTIME(2^{\mathrm{polylog}(n)})$. In [4], Cheng and the second author
derandomized the reduction and showed there is no deterministic polynomial time
algorithm to approximate the minimum distance to any constant factor unless NP =
P. And they proved that approximating the minimum distance of a linear code
cannot be achieved in deterministic polynomial time to the factor $2^{\log^{1-\epsilon} n}$ unless
$NP \subseteq RTIME(2^{\mathrm{polylog}(n)})$.

Despite the above complexity results, it is more interesting to compute the minimum
distance of linear codes that are used in practical applications. An important
class of such codes is algebraic geometry (AG) codes with parameters $[n, k, d]$ as
defined in Section 4. The minimum distance of such AG codes from algebraic curves
of genus $g$ is known to satisfy the inequality

$$n - k - g + 1 \le d \le n - k + 1.$$


In the simplest case $g = 0$, i.e., generalized Reed-Solomon codes, the minimum
distance has the simple formula $d = n - k + 1$. In the next simplest case $g = 1$,
either $d = n - k$ or $d = n - k + 1$, and Cheng [3] showed that determining the
minimum distance of ECAG codes between the two options is NP-hard under RP-
reduction. For genus $g \ge 2$, there is no such complexity result so far. But it is
believed to be an NP-hard problem as well.

We are interested in positive results for determining the minimum distance of 
ECAG codes. It was shown in [3], and also in [16] from a different aspect, that 
computing the minimum distance of an ECAG code is equivalent to a subset sum 
problem (SSP) in the group of rational points on the elliptic curve. We now make 
this more precise. 

Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Let $G$ be the group of $\mathbb{F}_q$-
rational points on the elliptic curve $E$. The Hasse bound shows that $\big|\,|G| - (q+1)\,\big| \le 2\sqrt{q}$.
Let $D \subseteq G$ be a nonempty subset of cardinality $n$, which will be our evaluation
set for the ECAG code. For a positive integer $1 \le k \le n \le |G|$ and element $b \in G$, let
$N(k, b, D)$ be the number of $k$-subsets $T \subseteq D$ such that $\sum_{x \in T} x = b$. The counting
version of the $k$-subset sum problem for the pair $(G, D)$ is to compute $N(k, b, D)$.
The minimum distance of the ECAG $[n, k]$-code is equal to $n - k$ if and only if the
number $N(k, b, D)$ is positive. This $k$-subset sum problem is in general NP-hard
if the evaluation set $D$ is small. On the other hand, the dynamic programming
method implies that there is a polynomial time algorithm to compute $N(k, b, D)$ if
$n = |D|$ is large, say, $n = |G|^{\delta}$ for some constant $\delta > 0$.

In this paper, we obtain an asymptotic formula for $N(k, b, D)$ if $n = |D|$ is
suitably large, say, $|D| > (\frac{2}{3} + \epsilon)|G|$. As an application, we show that if the
cardinality $n$ of the evaluation set is suitably large (at least 2/3 of the group order),
then the minimum distance of an ECAG code $[n, k]$ is always $n - k$. We conjecture
that the condition $|D| > (\frac{2}{3} + \epsilon)|G|$ in our results can be improved to |D| > (^+e)|G|.
Our main technical tool is the sieve method of the first two authors [8].
To describe the asymptotic formula, we introduce more notation. Let $\hat{G}$ be the
group of additive characters of $G$. Note that $\hat{G}$ is isomorphic to $G$. Define

$$\Phi(D) = \max_{\chi \in \hat{G},\ \chi \ne \chi_0} \Big| \sum_{a \in D} \chi(a) \Big|.$$

Our main technical result is the following asymptotic formula for N{k, b, D). 


Theorem 1.1. Notations as above. We have 

\^f^D) + k 

k 


N{k,b,D)-\G\- 


< 


- 1 


|G|V 

1 

|G| 


m( 


2 

k 


+ T7v y. m 


2<d<k 

d|exp(G) 


n+$(D) 


+ k — 1 


where $S$ is the set of characters in $\hat{G}$ which have order greater than $k$ and $\exp(G)$
is the exponent of $G$.


We apply this theorem to determine the minimum distance of ECAG codes (for
details see Section 3) and obtain

Theorem 1.2. Suppose that $n > (\frac{2}{3} + \epsilon)q$ and q > ^, where $\epsilon$ is positive. There
is a positive constant $C_\epsilon$ such that if $C_\epsilon \ln q < k < n - C_\epsilon \ln q$, then ECAG codes
$[n, k]$ have the deterministic minimum distance $n - k$.


If we allow the length of the codes to be larger, we then have a better bound on 
k. 


Theorem 1.3. If $n > q + 2$, then for $q > 64$ and $3 < k < q - 1$, ECAG $[n, k]$
codes have the deterministic minimum distance $n - k$.


Since one can check the cases $q < 64$ by a computer search, we have a complete
result for the minimum distance of the ECAG code $[n, k]$ if $n > q + 2$. This gives
a new proof of the MDS conjecture on ECAG codes, by a purely combinatorial method.
We now explain this application and its improvement.

Recall that an $[n, k, d]$ code is called a maximum distance separable (MDS) code
if $d = n - k + 1$. MDS codes have a lot of advantages [10]. However, MDS codes
are very rare, and so far, not too many MDS codes have been found. The Main
Conjecture on MDS Codes states that for every linear $[n, k]$ MDS code over $\mathbb{F}_q$, if
$1 < k < q$, then $n \le q + 1$, except when $q$ is even and $k = 3$ or $k = q - 1$, in which
cases $n \le q + 2$.

The most well-known MDS codes are Reed-Solomon codes. Since the evaluation
set of a Reed-Solomon code cannot exceed the finite field, the MDS conjecture
always holds in this case. The MDS conjecture was proved whenever $q < 11$ or
$k < 5$ by using the theory of finite geometries. Since the most popular candidates
for MDS codes are the Goppa codes constructed from algebraic curves of small
genus and algebraic geometry (AG) codes, people turned to concentrate on the MDS
conjecture for AG codes. As AG codes have algebraic and geometric properties,
there are a lot of new algebraic-geometric methods to apply, while the general MDS
property is more of a combinatorial property. The MDS conjecture for ECAG codes
was first proved by Katsman and Tsfasman in [7]. Munuera m translated the
conjecture for AG codes to another conjecture concerning the arithmetic of the
curves. He then proved it for codes arising from elliptic curves, and curves of genus
2 when $q > 83$. Walker [15] presented a new approach to the problem in the case
of elliptic curves by proving a statement about the geometry of the curve after a
certain embedding.

In the case of hyperelliptic curves, for fixed genus $g$, Moer [5] showed that the MDS
conjecture holds when $q$ is big enough. Chen [1] proved that there is a constant
$C(g)$ depending only on the genus $g$ such that the MDS conjecture is true when
$q > C(g)$. And later in [2] Chen and Yau gave an upper bound of $C(g)$ which
not only affirmatively answered the question asked by Munuera in m, but also
improved the result in [^ a lot.

As we pointed out, the minimum distance of an ECAG code has only two
options and determining it is equivalent to an SSP problem, so the MDS conjecture on
ECAG codes is naturally reduced to a subset sum problem of the group of rational
points on the elliptic curve. By Theorem 1.3, we have

Theorem 1.4. For $q > 64$, the MDS conjecture for ECAG codes holds.

By Theorem 1.2, if some restriction on the dimension $k$ is allowed, we can
significantly improve the lower bound $q + 2$.

Theorem 1.5. Suppose that $n > (\frac{2}{3} + \epsilon)q$ and q > -p, where $\epsilon$ is positive. Then
there is a positive constant $C_\epsilon$ such that if $C_\epsilon \ln q < k < n - C_\epsilon \ln q$, then there is
no MDS ECAG code with parameter $[n, k]$.

For small $k$, one can directly check if the ECAG code is MDS or not. For large
$k$, by the duality, it can be reduced to the former case. From Theorem 1.5, we shall
see that to get a long MDS code for fixed alphabet size $q$, Reed-Solomon codes are
always the best choices.

This paper is organized as follows. Section 2 recalls the sieve method of the 
first two authors. Section 3 uses the sieve method to get an estimate of counting 
subset sum problems on any large subset of the rational point group of an elliptic 
curve. And Section 4 describes the relation between minimum distance of ECAG 
codes and subset sum problems on the evaluation set of the ECAG code. The main 
theorems of this paper then follow. 


2. A DISTINCT COORDINATE SIEVING FORMULA 


In this section we introduce a sieving formula discovered by Li-Wan [8]. It
significantly improves the classical inclusion-exclusion sieve in several important
cases. We recite it here without proof. For details and related applications, we
refer to lain. Before we present the sieving formula, we introduce some notations
valid for the whole paper.

• Let $D$ be an alphabet set, $X$ a finite set of vectors of length $k$ over $D$.

• Denote $\overline{X} = \{ (x_1, x_2, \cdots, x_k) \in X \mid x_i \ne x_j,\ \forall i \ne j \}$ the pairwise distinct
component subset.

• Let $S_k$ be the symmetric group on $\{1, 2, \cdots, k\}$. For $\tau \in S_k$, the sign
function is defined to be sign($\tau$) = (—where $l(\tau)$ is the number of
cycles of $\tau$ including the trivial cycles which have length 1.

• Let $\tau = (i_1 i_2 \cdots i_{a_1})(j_1 j_2 \cdots j_{a_2}) \cdots (l_1 l_2 \cdots l_{a_s})$ with $1 \le a_i$, $1 \le i \le s$ be
any permutation, denote the $\tau$-symmetric subset

$$X_\tau = \{ (x_1, \cdots, x_k) \in X \mid x_{i_1} = \cdots = x_{i_{a_1}},\ \cdots,\ x_{l_1} = \cdots = x_{l_{a_s}} \}. \qquad (2.1)$$

• Let $f(x_1, x_2, \ldots, x_k)$ be a complex valued function defined on $X$. Denote
the distinct sum

$$F = \sum_{x \in \overline{X}} f(x_1, x_2, \ldots, x_k),$$

and the $\tau$-symmetric sum

$$F_\tau = \sum_{x \in X_\tau} f(x_1, x_2, \ldots, x_k).$$

We now present the sieving formula found in [5].

Theorem 2.1. Let $F$ and $F_\tau$ be defined as above. Then

$$F = \sum_{\tau \in S_k} \mathrm{sign}(\tau) F_\tau. \qquad (2.2)$$

We notice that in this formula, there are at most $k!$ terms (computable in many
cases), which is significantly smaller than the needed number of terms by 

traditional sieving approach. 

For $\tau \in S_k$, let $\overline{\tau}$ denote the conjugacy class determined by $\tau$ whose elements
are permutations conjugate to $\tau$. Conversely, in the case that we denote a conjugacy
class by $\overline{\tau} \in C_k$, $\tau$ is a correspondent representative permutation. Since two
permutations in $S_k$ are conjugate if and only if they have the same type of cycle
structure, $C_k$ is exactly the set of all partitions of $k$.

The symmetric group of $k$ elements, $S_k$, acts on $D^k$ naturally by permuting
coordinates. Given $\tau \in S_k$ and $x = (x_1, x_2, \ldots, x_k) \in D^k$, $\tau \circ x = (x_{\tau(1)}, x_{\tau(2)}, \ldots, x_{\tau(k)})$.
A subset $X$ in $D^k$ is defined to be symmetric if for any $x \in X$ and any $\tau \in S_k$,
$\tau \circ x \in X$. In particular, if $X$ is symmetric and $f$ is a symmetric function under
the action of $S_k$, we then get the following useful counting formula for (2.2).

Proposition 2.2. Let $C_k$ be the set of conjugacy classes of $S_k$. If $X$ is symmetric
and $f$ is symmetric, then

$$F = \sum_{\tau \in C_k} \mathrm{sign}(\tau) C(\tau) F_\tau, \qquad (2.3)$$

where $C(\tau)$ is the number of permutations conjugate to $\tau$.


For the purpose of our proof, we will also present several combinatorial formulas.
A permutation $\tau \in S_k$ is said to be of type $(c_1, c_2, \cdots, c_k)$ if $\tau$ has exactly $c_i$ cycles
of length $i$. Denote by $N(c_1, c_2, \ldots, c_k)$ the number of $k$-permutations of type
$(c_1, c_2, \ldots, c_k)$. It is well known that

$$N(c_1, c_2, \ldots, c_k) = \frac{k!}{1^{c_1} c_1!\, 2^{c_2} c_2! \cdots k^{c_k} c_k!}.$$

Lemma 2.3. If we define the generating function

$$C_k(t_1, t_2, \ldots, t_k) = \sum_{\sum i c_i = k} N(c_1, c_2, \ldots, c_k)\, t_1^{c_1} t_2^{c_2} \cdots t_k^{c_k},$$

and set $t_1 = t_2 = \cdots = t_k = q$, then

$$C_k(q, q, \ldots, q) = \sum_{\sum i c_i = k} N(c_1, c_2, \ldots, c_k)\, q^{c_1} q^{c_2} \cdots q^{c_k} = (q + k - 1)_k.$$





If we set $t_i = q$ for $d \mid i$ and $t_i = s$ for $d \nmid i$, then

$$C_k(\overbrace{s, \cdots, s}^{d-1}, q, \overbrace{s, \cdots, s}^{d-1}, q, \cdots)$$


3. Subset Sum Problem in a Subset of the Rational Point Group 

Lemma 3.1 (Hasse-Weil Bound). Let $E$ be an elliptic curve over the finite field
$\mathbb{F}_q$. Then the number of rational points on $E$ has the following estimate

$$|\#E(\mathbb{F}_q) - q - 1| \le 2\sqrt{q}.$$

Lemma 3.2 (Structure of Rational Point Group). A group $G$ of order $N = q + 1 - m$
is isomorphic to $E(\mathbb{F}_q)$ for some elliptic curve $E$ over $\mathbb{F}_q$ if and only if one of the
following conditions holds:

(i) $(q, m) = 1$, $|m| \le 2\sqrt{q}$ and $G \cong \mathbb{Z}/A \times \mathbb{Z}/B$ where $B \mid (A, m - 2)$.

(ii) $q$ is a square, $m = \pm 2\sqrt{q}$ and $G \cong (\mathbb{Z}/A)^2$ where $A = \sqrt{q} \mp 1$.

(iii) $q$ is a square, $p \not\equiv 1 \pmod 3$, $m = \pm\sqrt{q}$ and $G$ is cyclic.

(iv) $q$ is not a square, $p = 2$ or $3$, $m = \pm\sqrt{pq}$ and $G$ is cyclic.

(v) $q$ is not a square, $p \not\equiv 3 \pmod 4$, $m = 0$ and $G$ is cyclic, or $q$ is a square,
$p \not\equiv 1 \pmod 4$, $m = 0$ and $G$ is cyclic.

(vi) $q$ is not a square, $p \equiv 3 \pmod 4$, $m = 0$ and $G$ is either cyclic or
$G \cong \mathbb{Z}/M \times \mathbb{Z}/2$ where $M = \frac{q+1}{2}$.

According to Lemma 3.2 on the structure of $E(\mathbb{F}_q)$, we may suppose that $G =
E(\mathbb{F}_q) \cong \mathbb{Z}/n_1 \times \mathbb{Z}/n_2$ is a finite abelian group. By Lemma 3.1, $G$ has order
$q + 1 + c\sqrt{q}$, with $|c| \le 2$. Denote by $\exp(G)$ the exponent of $G$. Let $D \subseteq G$
be a nonempty subset of cardinality $n$. Let $\hat{G}$ be the group of additive characters
of $G$. Note that $\hat{G}$ is isomorphic to $G$. Define $s_\chi(D) = \sum_{a \in D} \chi(a)$ and $\Phi(D) =
\max_{\chi \in \hat{G},\ \chi \ne \chi_0} |s_\chi(D)|$. Let $N(k, b, D)$ be the number of $k$-subsets $T \subseteq D$ such
that $\sum_{x \in T} x = b$. In the following theorem we will give an asymptotic bound for
$N(k, b, D)$ which ensures $N(k, b, D) > 0$ when $G - D$ is not too large compared
with $G$.


Theorem 3.3. Let $N(k, b, D)$ be defined as above.
N(k,b,D) - ICr^ 


^\^/^D) + k-l 

-|G|V k 


. /r!,+$(U) 

^ ' 2 
k 


|G| 


1 

M 




2<d<k 

d|exp(G) 


n+$(D) 


+ k—l 


(3.1) 


where $S$ is the set of characters which have order greater than $k$.


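Proof. Let $X = D \times D \times \cdots \times D$ be the Cartesian product of $k$ copies of $D$.
Let $\overline{X} = \{ (x_1, x_2, \ldots, x_k) \in X \mid x_i \ne x_j,\ \forall i \ne j \}$. It is clear that $|X| = n^k$ and
$|\overline{X}| = (n)_k$. We have

$$\begin{aligned}
k!\, N(k, b, D) &= |G|^{-1} \sum_{(x_1, x_2, \ldots, x_k) \in \overline{X}}\ \sum_{\chi \in \hat{G}} \chi(x_1 + x_2 + \cdots + x_k - b) \\
&= |G|^{-1} (n)_k + |G|^{-1} \sum_{\chi \ne \chi_0}\ \sum_{(x_1, x_2, \ldots, x_k) \in \overline{X}} \chi(x_1)\chi(x_2)\cdots\chi(x_k)\chi^{-1}(b) \\
&= |G|^{-1} (n)_k + |G|^{-1} \sum_{\chi \ne \chi_0} \chi^{-1}(b) \sum_{(x_1, x_2, \ldots, x_k) \in \overline{X}}\ \prod_{i=1}^{k} \chi(x_i).
\end{aligned}$$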

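Denote $f_\chi(x) = f_\chi(x_1, x_2, \ldots, x_k) = \prod_{i=1}^{k} \chi(x_i)$. For $\tau \in S_k$, let

$$F_\tau(\chi) = \sum_{x \in X_\tau} f_\chi(x) = \sum_{x \in X_\tau} \prod_{i=1}^{k} \chi(x_i),$$

where $X_\tau$ is defined as in (2.1). Obviously $X$ is symmetric and $f_\chi(x_1, x_2, \ldots, x_k)$
is normal on $X$. Applying (2.3) in Corollary 2.2, we get

$$k!\, N(k, b, D) = |G|^{-1} (n)_k + |G|^{-1} \sum_{\chi \ne \chi_0} \chi^{-1}(b) \sum_{\tau \in C_k} \mathrm{sign}(\tau) C(\tau) F_\tau(\chi),$$

where $C_k$ is the set of conjugacy classes of $S_k$, $C(\tau)$ is the number of permutations
conjugate to $\tau$. If $\tau$ is of type $(c_1, c_2, \ldots, c_k)$, then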

k 

Prix) = Y 

xGXt- i—1 

Cl C2 Cfc 

“ ^ ^ J_ xi^i) X {^ci-\-2i) ■ ■ ■ X (^ci+C2H- \-ki) 

x£Xt i—1 i—1 i—1 

k 

=nc 

i—1 a^D 


where $m_i(\chi) = 1$ if $\chi^i = 1$ and otherwise $m_i(\chi) = 0$.

Now suppose $\mathrm{ord}(\chi) = d$ with $d \mid n_1 n_2$. Note that $C(\tau) = N(c_1, c_2, \cdots, c_k)$. In
the case $d = 2$, $s_\chi(D)$ is an integer. Applying Lemma 2.3, we have

^ sign(T)C(T)F.(x) 

T^Ck 

r^Cfc 


+ z — 1\ f—s^{D) k — 2i — 1 


i^O 

[fc/ 2 j y n—s^{D) 

= k\Y 


k — 2i 


< kl 


i=0 
n+<I>(D) 
2 
k 


SxiD) 
k — 2i 
The last inequality in the case $s_\chi(D) > 0$ is from the identity

$$\sum_{i=0}^{k} \binom{a}{i} \binom{b}{k-i} = \binom{a+b}{k}.$$

In the case $s_\chi(D) < 0$, since the summation has alternating signs, the inequality
follows from a simple combinatorial argument.

In the case 3 < d < k, since |s^(Z3)| < we have 

sign(r)C'(r)F^(x) 

T^Ck 

T^Ck 

' n+^(D) 

< k\{ 


+ fc — 1 


Similarly, if $\mathrm{ord}(\chi)$ is greater than $k$, then

^ sign(r)C'(T)F.(x)<fc!(‘^^^^+*"^y 

TdCk ^ ^ 

Let S be the set of characters which have order greater than k. Summing over 
all nontrivial characters, we obtain 


N{k,b,D)-\G\ 


-1 


< 


\Yf^iD) + k-l\ 

|G| 1 k |G| 


2 

k 


jq E ■*(<'> 

I I 2<d<k 

d|exp(G) 


n+$(D) 


+ k — 1 


where $\phi(d)$ is the number of characters in $\hat{G}$ of order $d$. This completes the proof.

□ 


Corollary 3.4. We have 


N{k,b,D)-\G\ 


-i n 


< 


where M is defined as 




n+^»(D) 

2 

k 


n+<J>(Z)) 


+ k — 1 


k 


and d is the smallest nontrivial divisor of |G| that is not equal to 2. 

Corollary 3.5. Let $q > 64$ and $n = q + 2$. For $6 < k < q - 1$, we have $N(k, b, D) > 0$
for every $b \in G$.

Proof. By symmetry it is sufficient to consider the case $3 < k < n/2$. To ensure
$N(k, b, D) > 0$, by (3.1) it suffices to have


> 1^1 


4>(£i) + fc - 1 

k 


2 

k 


/n+<i>(D) , , 


2<d<k 

(i|exp(G) 
For a nontrivial character $\chi$, $\sum_{g \in G} \chi(g) = 0$ and it follows that $\Phi(D) = \Phi(G - D) \le
|G| - |D| \le 2\sqrt{q} + 1$.

Since $G$ is the product of at most two cyclic groups, by the definition of $\phi(d)$ we
have $\phi(d) \le d^2 - 1$. For simplicity, set $K = k^3 - 2k^2 - k + 2$. For the case k <

it is sufficient to have 



{q + 2y/^-K) 




(? + 2 + 2y^ 

2 \-K[ 






> 0 . 


When $k = 3$, one has

125/216g^ - 379/36q'^/2 - 589/18g2 + 5m/27q^^^ + 149/2q + 67/Sq^^^ > 0 


It then suffices to have q > 432. 

Similarly, when $k = 6$, one has $q > 64$. This is done by first taking $K =
k^3 - 2k^2 - k + 2 = 140$, we solve that $q > 97$. But notice that now $K$ should be
$< 117$. Then taking $K = 117$, we solve $q > 79$. Iteratively, we can get $q > 64$
finally.

One checks that when k < this function is unimodal on k. For g^/^ < k < 
(g + 2^)/6, it then suffices to have 



/ q+2+2y/q \ 

> (g + 2 + 2 y^)^ 2 j 


and for (g + 2 y ^)/6 < fc < (g + 2 )/ 2 , 



> (g + 2 + 2^/q) 


i±^ + k- 



It follows from a simple asymptotic analysis and the proof is complete. □ 


A similar argument gives 

Corollary 3.6. Suppose that $n > (\frac{2}{3} + \epsilon)q$ and q > , where $\epsilon$ is positive. Then
there is a positive constant $C_\epsilon$ such that $N(k, b, D) > 0$ for every $b \in G$ provided
$C_\epsilon \ln q < k < n - C_\epsilon \ln q$.


Proof. Similar to the proof of the corollary above, we consider the case $k < n/2$.
To ensure $N(k, b, D) > 0$, by (3.1) it suffices to have





+ k — l 


+ 


n+<J>(Z)) 

2 

k 




n+$(D) 


+ fc — 1 


(i|exp(G) 


For a nontrivial character $\chi$, $\sum_{g \in G} \chi(g) = 0$ and it follows that $\Phi(D) = \Phi(G - D) \le
|G| - |D| \le (\frac{1}{3} - \epsilon)q + 2\sqrt{q} + 1$.

For small $k < q/6$ it suffices to have


-(<7 + 


2 v^)( 


/ q-\-2-\-2y/q 
2 
k 


> 0 , 


i.e., 


and then 


(2/3g)fc 

((g + 2 + 2 ^)/ 2 )fe 


> g + 2 v^, 


2/3g 

(g + 2 + 2^)/2 


k 

> g + 2 i/g, 
which holds when

$$k > C \ln q$$

for some constant $C$.

For $q/6 < k < n/2 = (\frac{1}{3} + \frac{\epsilon}{2})q$, it suffices to have

which holds when q > -^ and

$$k > C_\epsilon \ln q$$

for some constant $C_\epsilon$. So, the proof is complete.

□ 

From the proof of the above corollary, it follows that

Corollary 3.7. Suppose $n > (\frac{2}{3} + \epsilon)q$, where $\epsilon$ is positive and $\epsilon < 1/3$. When $q$
is large enough (in application we need to use long length codes, so it is reasonable
to assume $q$ is large), then there is a positive constant $C$ (independent of $\epsilon$ and $q$)
such that $N(k, b, D) > 0$ for every $b \in G$ provided $C \ln q < k < n - C \ln q$.

4. Minimum Distance of Elliptic Codes and SSP 

In this section, we discuss the relationship between the minimum distance of
ECAG code and SSP on the group of rational points of the elliptic curve. Using
the results in the previous section, our main theorems in the Introduction follow
automatically.

We fix some notations for this section:

• $X/\mathbb{F}_q$ is a geometrically irreducible smooth projective curve of genus $g$ over
the finite field $\mathbb{F}_q$ with function field $\mathbb{F}_q(X)$.

• $X(\mathbb{F}_q)$ is the set of all $\mathbb{F}_q$-rational points on $X$.

• $D = \{P_1, P_2, \cdots, P_n\}$ is a proper subset of rational points $X(\mathbb{F}_q)$.

• Without any confusion, we also write $D = P_1 + P_2 + \cdots + P_n$.

• $G$ is a divisor of degree $k$ ($2g - 2 < k < n$) with $\mathrm{Supp}(G) \cap D = \emptyset$.

Let $V$ be a divisor on $X$. Denote by $\mathcal{L}(V)$ the $\mathbb{F}_q$-vector space of all rational
functions $f \in \mathbb{F}_q(X)$ with the principal divisor $\mathrm{div}(f) \ge -V$, together with the zero
function (cf. [13]). It is well-known that $\mathcal{L}(V)$ is a finite dimensional vector space
over $\mathbb{F}_q$ and $\dim \mathcal{L}(V) = k - g + 1$.

The functional AG code $C_{\mathcal{L}}(D, G)$ is defined to be the image of the following
evaluation map:

$$\mathrm{ev} : \mathcal{L}(G) \to \mathbb{F}_q^n;\quad f \mapsto (f(P_1), f(P_2), \cdots, f(P_n)).$$

As functions in $\mathcal{L}(G)$ have at most $\deg G$ zeros, the minimum distance of
$C_{\mathcal{L}}(D, G)$ is $d \ge n - k$. Together with the Riemann-Roch theorem, it is easy to
see that the functional AG code $C_{\mathcal{L}}(D, G)$ has parameters $[n, k - g + 1, d \ge n - k]$.
By the Singleton bound, we have

$$n - k \le d \le n - k + g.$$

If $X = E$ is an elliptic curve over $\mathbb{F}_q$, we only have the following two choices for
the minimum distance of $C_{\mathcal{L}}(D, G)$:

$$d = n - k, \quad \text{or} \quad d = n - k + 1.$$
Let $G$ be an abelian group with zero element $O$ and $D$ a finite subset of $G$. For
an integer $0 < k < |D|$ and an element $b \in D$, we denote

$$N_G(k, b, D) = \#\Big\{ S \subseteq D \ \Big|\ \#S = k \text{ and } \sum_{x \in S} x = b \Big\}.$$

Computing $N_G(k, b, D)$ is called the counting version of the $k$-subset sum problem
($k$-SSP). In general, the counting $k$-SSP is NP-hard. If there is no confusion, we
simply denote

$$N(k, b, D) = N_G(k, b, D).$$

Let $E$ be an elliptic curve defined over $\mathbb{F}_q$ with a rational point $O$. The set of
rational points $E(\mathbb{F}_q)$ forms an abelian group with zero element $O$ (for the definition
of the sum of any two points, we refer to m), and it is isomorphic to the Picard
group $\mathrm{div}^0(E)/\mathrm{Prin}(\mathbb{F}_q(E))$ where $\mathrm{Prin}(\mathbb{F}_q(E))$ is the subgroup consisting of all
principal divisors. Denote by $\oplus$ and $\ominus$ the additive and minus operator in the
group $E(\mathbb{F}_q)$, respectively.

Proposition 4.1 ([3], [16]). Let $E$ be an elliptic curve over $\mathbb{F}_q$, $D = \{P_1, P_2, \cdots, P_n\}$
a subset of $E(\mathbb{F}_q)$ such that rational points (not necessarily distinct) $O, P \notin D$ and
let $G = (k - 1)O + P$ ($0 < k < n$). Endow $E(\mathbb{F}_q)$ a group structure with the zero
element $O$. Then the AG code $C_{\mathcal{L}}(D, G)$ is MDS, i.e., $d = n - k + 1$ if and only if

$$N(k, P, D) = 0.$$

And the minimum distance $d = n - k$ if and only if

$$N(k, P, D) > 0.$$

Proof. We have already seen that the minimum distance of $C_{\mathcal{L}}(D, G)$ has two
choices: $n - k$, $n - k + 1$. So $C_{\mathcal{L}}(D, G)$ is not MDS, i.e., $d = n - k$, if and only
if there is a function $f \in \mathcal{L}(G)$ such that the evaluation $\mathrm{ev}(f)$ has weight $n - k$.
This is equivalent to that $f$ has $k$ zeros in $D$, say $P_{i_1}, \cdots, P_{i_k}$. That is

$$\mathrm{div}(f) \ge -(k - 1)O - P + (P_{i_1} + \cdots + P_{i_k}),$$

which is equivalent to

$$\mathrm{div}(f) = -(k - 1)O - P + (P_{i_1} + \cdots + P_{i_k}).$$

The existence of such an $f$ is equivalent to saying

$$P_{i_1} \oplus \cdots \oplus P_{i_k} = P.$$

Namely, $N(k, P, D) > 0$. It follows that the AG code $C_{\mathcal{L}}(D, G)$ is MDS if and only
if $N(k, P, D) = 0$. □
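
Proposition 4.1 turned into a computation, as an added example that is not code from the paper: it counts $N(k, b, D)$ for all $b$ at once with the dynamic programming method mentioned in the Introduction and reads off $d$ for the code with $G = (k-1)O + P$. The curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$, the choice of $P$ and $D$, and all function names are assumptions made for illustration.

```python
from itertools import combinations
from math import comb

O = None  # point at infinity, the zero element of E(F_p)


def curve_points(p, a, b):
    """All points of y^2 = x^3 + a*x + b over F_p (p > 3 prime), O first."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    pts = [O]
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts


def neg(P, p):
    """Inverse of P in the group."""
    return O if P is O else (P[0], -P[1] % p)


def add(P, Q, p, a):
    """Chord-and-tangent group law on E(F_p)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def count_k_subsets(D, k, p, a):
    """Return {b: N(k, b, D)}; about n*k*|G| group additions."""
    counts = [dict() for _ in range(k + 1)]  # counts[j][g] = #j-subsets summing to g
    counts[0][O] = 1
    for P in D:
        for j in range(k, 0, -1):  # descending j: each point is used at most once
            for g, c in counts[j - 1].items():
                s = add(g, P, p, a)
                counts[j][s] = counts[j].get(s, 0) + c
    return counts[k]


def brute_force(D, k, b, p, a):
    """N(k, b, D) by enumerating all k-subsets (cross-check only)."""
    total = 0
    for T in combinations(D, k):
        s = O
        for P in T:
            s = add(s, P, p, a)
        total += s == b
    return total


def ecag_min_distance(D, k, P, p, a):
    """Minimum distance of C_L(D, (k-1)O + P) via Proposition 4.1."""
    if O in D or P in D:
        raise ValueError("O and P must lie outside the evaluation set D")
    n = len(D)
    return n - k if count_k_subsets(D, k, p, a).get(P, 0) > 0 else n - k + 1


if __name__ == "__main__":
    p, a, b = 5, 1, 1                      # constructed toy curve
    G = curve_points(p, a, b)
    P = (0, 1)
    D = [g for g in G if g is not O and g != P]
    for k in range(1, len(D) + 1):
        N = count_k_subsets(D, k, p, a)
        assert sum(N.values()) == comb(len(D), k)
        print(k, N.get(P, 0), ecag_min_distance(D, k, P, p, a))
```

The Singleton bound for a $k$-dimensional code of length $n$ is $n - k + 1$, so every row printing $N(k, P, D) = 0$ is an MDS code and every other row has $d = n - k$.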

Remark 4.2. In general, if $G$ is a divisor of degree $k$ on $E$, then for any rational
point $Q \in E(\mathbb{F}_q)$, as $\deg(G - (k-1)Q) = 1$, by Riemann-Roch theorem, there exists
one and only one rational point $P \in E(\mathbb{F}_q)$ such that $G \sim (k - 1)Q + P$. Suppose
there exist rational points $Q, P$ such that $G \sim (k - 1)Q + P$ and $P, Q \notin D$. Let
$G' = (k - 1)Q + P$. Then the codes $C_{\mathcal{L}}(D, G)$ and $C_{\mathcal{L}}(D, G')$ are equivalent [13,
Proposition 2.2.14]. Here two codes $C_1, C_2 \subseteq \mathbb{F}_q^n$ are said to be equivalent if there
is a vector $a = (a_1, \cdots, a_n) \in (\mathbb{F}_q^*)^n$ such that

$$C_2 = a * C_1 = \{ (a_1 c_1, \cdots, a_n c_n) \mid (c_1, \cdots, c_n) \in C_1 \}.$$

It is easy to see that two equivalent codes have the same weight distribution and
hence the same minimum distance. So it suffices to consider all AG codes of the
form $C_{\mathcal{L}}(D, (k - 1)Q + P)$.


Proposition 4.1 establishes the relation between minimum distance of ECAG
code and SSP on the rational point group of the elliptic curve. Together with
Corollaries 3.5 and 3.6, we obtain the main results of this paper, Theorems 1.3-1.5.